Pages:
Author

Topic: Secure messengers: are there any? - page 2. (Read 1961 times)

legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
July 22, 2015, 01:01:44 PM
#12
You want SureSpot. End to end encryption, full deletion permissions, and open source.   Wink

https://www.surespot.me/

It's free, but the author has a bitcoin address in the app for tipping!

Let me get this straight.  This app is designed to run only on fully compromised (back doored) devices right?  

Lets move past that for a second and assume we don't care about those players who have that access, and are just trying to fend off script kiddies and low level advertisers / spamz0rs.

Now, where is my private key stored?  How do I verify that I have the public key of your private key, in other words how do we know there is no MIM going on?  

Is a key fingerprint easily available?  


I use only jailbroken phones that I modify. It runs fine on my BLU phone. If you are concerned about what it does then I suggest you download the source and compile it for yourself.
When you want to invite someone it can be done in-app. You just need their username to directly connect to them. This app is not tied to a phone number or an email, or identity at all. Not that my phone is connect to me anyway.  Wink
legendary
Activity: 1066
Merit: 1050
Khazad ai-menu!
July 22, 2015, 12:49:18 PM
#11
You want SureSpot. End to end encryption, full deletion permissions, and open source.   Wink

https://www.surespot.me/

It's free, but the author has a bitcoin address in the app for tipping!

Let me get this straight.  This app is designed to run only on fully compromised (back doored) devices right?  

Lets move past that for a second and assume we don't care about those players who have that access, and are just trying to fend off script kiddies and low level advertisers / spamz0rs.

Now, where is my private key stored?  How do I verify that I have the public key of your private key, in other words how do we know there is no MIM going on?  

Is a key fingerprint easily available?  

    

legendary
Activity: 2926
Merit: 1386
July 22, 2015, 12:48:52 PM
#10
Hey guys, I'd like to bring up a question of finding a secure, fast and easy to use messenger application. Since cryptocommunity is based pretty heavily on privacy, decentralization, etc. I thought this is a good place to talk about that.....
Passenger pigeons.

Can't beat them.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
July 22, 2015, 12:25:25 PM
#9
You want SureSpot. End to end encryption, full deletion permissions, and open source.   Wink

https://www.surespot.me/

It's free, but the author has a bitcoin address in the app for tipping!
legendary
Activity: 1066
Merit: 1050
Khazad ai-menu!
July 22, 2015, 12:23:28 PM
#8
GPG/PGP is the standard solution.   

"Messengers"  are underlying transport protocols.  What keeps something secure is the next layer on top.  A quick check is to say "did a company produce this?"  If the answer is yes, than you aren' t using a secure protocol. 
hero member
Activity: 602
Merit: 500
hyperboria - next internet
July 22, 2015, 10:07:20 AM
#7
bitmessenger maybe?
hero member
Activity: 770
Merit: 509
July 22, 2015, 09:53:43 AM
#6
I remember a while ago reading about some sort of decentralized skype called Tox. Not sure if the project is still being developed or not.

https://en.wikipedia.org/wiki/Tox_%28software%29
member
Activity: 72
Merit: 10
July 22, 2015, 08:50:09 AM
#5
Have a look at threema: https://threema.ch/en/

It's quite popular in western europe. Unfortunately no open-source, but AFAIR the code was security-reviewed by an independant expert.

Yeah, this one seems all right, a million downloads in the playstore, no data storage/mining by provider. But, like you said, it's not open-source, nor is it p2p, hence not 100% private. Independent experts and service providers can be bought/coerced into disclosing users' personal data. It's doubtful that anyone will bother right now, but when and if it grows, it can become a vulnerable target.

Another problem with it is that it's not free, which means that it won't enjoy a similar level of natural growth that free counterparts, like WhatsApp or Telegram do, and I can't just ask all my friends and colleagues use it. So it's either going to remain on this unpopular level, where I can't really use it, or it will grow and with it will grow the probability of gvt. agencies tapping into it.

What I think this shows is the fundamental problem that any messenger has to face: it's either going to rely on a financially- and/or technologically-intensive solution, which will make it less popular and thus less usable, or decrease the complexity of the underlying solution to attract a larger userbase, in exchange for fundamental flaws, which may ultimately lead to security leaks. I think, when someone finds out a way to integrate a p2p solution in a mobile app in a cheap and computationally efficient way, and markets it right, they will be golden. So far I've failed to find such an app.

OTR
https://en.wikipedia.org/wiki/Off-the-Record_Messaging
Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations.

This is nice, never heard of it. Found a report about some security vulnerabilities found by the EFF and less-then-optimal battery usage by the Diffie-Hellman protocol, but overall it seems legit. Have you been using any of its mobile implementations yourself?

What about ICQ , how save is it ?
For privacy I guess you could go with MEGA-CHAT which is made by Kim Dotcom (we all know his problems with NSA and their spying ) but it's still on BETA phase AFAIK

Look it up, man. I've just found several reports on ICQ's vulnerability, here's just one of them. Anyway, it's pretty apparent, since it uses proprietary software and servers, that it isn't and can't be secure.

I failed to find a mobile version for the MegaChat, is there one?
sr. member
Activity: 280
Merit: 250
July 22, 2015, 07:11:02 AM
#4
What about ICQ , how save is it ?
For privacy I guess you could go with MEGA-CHAT which is made by Kim Dotcom (we all know his problems with NSA and their spying ) but it's still on BETA phase AFAIK
sr. member
Activity: 249
Merit: 250
July 22, 2015, 07:00:44 AM
#3
OTR
https://en.wikipedia.org/wiki/Off-the-Record_Messaging
Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations.
legendary
Activity: 924
Merit: 1000
July 22, 2015, 01:36:40 AM
#2
Have a look at threema: https://threema.ch/en/

It's quite popular in western europe. Unfortunately no open-source, but AFAIR the code was security-reviewed by an independant expert.
member
Activity: 72
Merit: 10
July 20, 2015, 04:32:00 PM
#1
Hey guys, I'd like to bring up a question of finding a secure, fast and easy to use messenger application. Since cryptocommunity is based pretty heavily on privacy, decentralization, etc. I thought this is a good place to talk about that.

Among reports on NSA's surveillance practices, iCloud leaks, "The Snappening" et al. I've started searching for a way to communicate with people online in full privacy, without the risks of my messages and/or media files being read/seen by anyone for whom they are not intended.

Here's what I got:

1. WhatsApp and its direct counterparts: Viber, FB messenger, Skype, and the rest - just your average, very popular messenger app.

Completely out of the question. Anything that doesn't state security as one of its competitive advantages (like Telegram does, for example - more on that one later) can't be relied on, despite some preemptive measures that they're taking. It just doesn't matter how good an app is at encrypting messages, if the NSA are free to tap into the communications unobstructed - which Skype and FB have voluntarily agreed to: they're both part of the PRISM project. There's basically no telling if Whatsapp or Viber or any similar service won't do that too.

2. More security-oriented, sorta underground apps: Telegram, Cryptocat, RedPhone, TextSecure, etc.

All these seem to suffer from one or another inconvenience problem. Cryptocat has no functions, other than messaging texts, and you also have to transfer the chat names to people in person, if you want to really ensure the security. RedPhone only supports voice calls. TextSecure seems to lack such glaring issues and is pretty covenient, but it suffers from one problem, which is native to this category of messengers: the lack of people using them. A messaging app is only as useful as are people that are using it, so if it's so underground that none of your friends/colleagues/etc. use it, then you can't use it as well, no matter how secure it is.

The only messenger from this category that is relatively free from the problems of both convenience and popularity, is Telegram, which has all the features that you expect from a regular app and, I'd say, is somewhere in between underground and mainstream at the moment. It also has a special feature - secret chats, that is specifically tailored for secure conversations.

Ultimately, Telegram may very well be the best option at the current moment, but as its userbase grows, it can attract more attention from the government agencies, and ultimately suffer the same fate as Skype and FB - its encryption may be end-to-end, but the app itself isn't peer-to-peer, which means that it has centralized servers and people running those servers. And where there are people in charge, one cannot be 100% sure about their incorruptibility. Its another, although less grievous problem, is hazy monetary policy: currently they are running on investors' (Durov's, mainly) money, and they don't have plans for paid features, so it's not entirely clear as to what they're gonna do when the pot runs out. But again, this is a much, much lesser problem, compared to the security vulnerabilities associated with centralization.

3. Peer-to-peer messengers, completely underground: Bit Message, Bleep, Redact, TextHer, etc.

Most of these have some serious design flaws, which may or may not be fixed in the future: Redact fails to deliver 100% of the messages to the receiver, according to reviews in the Play Store. Bit Message, at this moment, seems to be completely off-limits to mobile devices, since it relies on a PoW algorithm, which will make your phone burst in flames while you're holding it.

Some of them are better and some are worse, but these are all plagued by the lack of their audience, even more so, than the previous category. Redact and TextHer have about 1500 downloads in the Play Store combined. Bleep appears to be the most popular among all of them, with about 100K downloads over the last 10 months or so, which is still abysmal, compared to Telegram's 50 million in the first year.
                                                                                                                                                                                                                                                                                         

So, ultimately it all comes down to this: you have to chose between security weak-spots, low usability/absent features or very low popularity, and you can't have them all at once. Or can you? Maybe I missed something, and there is a messenger, which offers a 100% secure p2p operation combined with convenience of some more popular apps? Share your opinions guys, what do you think?
Pages:
Jump to: